Lab: Protecting Data with LUKS and NBDE

Create an encrypted storage device with LUKS and configure it to decrypt automatically and securely at boot time by using NBDE.

Outcomes

  • Encrypt a partition with LUKS.

  • Decrypt a LUKS partition with multiple Tang servers.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.

[student@workstation ~]$ lab start luks-review

Instructions

  1. Verify that an additional disk is available on the serverb machine.

    1. Log in to the serverb machine as the student user. You do not need to enter any password.

      [student@workstation ~]$ ssh student@serverb
      [student@serverb ~]$
    2. Use the sudo -i command to change to the root user. Use student as the password.

      [student@serverb ~]$ sudo -i
      [sudo] password for student: student
      [root@serverb ~]#
    3. Verify that the vdb disk is available and has no partition.

      [root@serverb ~]# parted -l
      ...output omitted...
      Error: /dev/vdb: unrecognised disk label
      Model: Virtio Block Device (virtblk)
      Disk /dev/vdb: 1074MB
      Sector size (logical/physical): 512B/512B
      Partition Table: unknown
      Disk Flags:
  2. Create a partition on the additional disk on the serverb machine. Use the following configuration for the partition:

    Field           Value
    Disk label      msdos
    Partition       primary
    FS type         xfs
    Starting block  1M
    Ending block    1G
    1. Use the parted command to create a partition on the additional disk on the serverb machine. Use the parameters from the previous table.

      [root@serverb ~]# parted /dev/vdb \
          mklabel msdos
      ...output omitted...
      [root@serverb ~]# parted /dev/vdb \
          mkpart primary xfs 1M 1G
      ...output omitted...
    2. Verify that the partition is available.

      [root@serverb ~]# parted /dev/vdb print
      Model: Virtio Block Device (virtblk)
      Disk /dev/vdb: 1074MB
      Sector size (logical/physical): 512B/512B
      Partition Table: msdos
      Disk Flags:
      
      Number  Start   End     Size    Type     File system  Flags
      1      1049kB  1074MB  1073MB  primary
  3. Encrypt the vdb1 partition with LUKS. Use redhatRHT as the encryption password.

    1. Use the cryptsetup luksFormat command to encrypt the vdb1 partition with LUKS.

      [root@serverb ~]# cryptsetup luksFormat /dev/vdb1
      
      WARNING!
      ========
      This will overwrite data on /dev/vdb1 irrevocably.
      
      Are you sure? (Type uppercase yes): YES
      Enter passphrase: redhatRHT
      Verify passphrase: redhatRHT
  4. Open the device with the map name encryptedvdb1.

    1. Use the cryptsetup luksOpen command to name the encrypted partition encryptedvdb1.

      [root@serverb ~]# cryptsetup luksOpen /dev/vdb1 encryptedvdb1
      Enter passphrase for /dev/vdb1: redhatRHT
    2. Verify that the partition is now available at the /dev/mapper/encryptedvdb1 device mapping.

      [root@serverb ~]# ls /dev/mapper/encryptedvdb1
      /dev/mapper/encryptedvdb1
  5. Create an XFS file system on the encrypted partition, and mount this file system on the /encrypted directory. Create a file called testfile in the /encrypted directory by using the touch command.

    1. Create an XFS file system on the /dev/mapper/encryptedvdb1 device mapping.

      [root@serverb ~]# mkfs.xfs /dev/mapper/encryptedvdb1
      meta-data=/dev/mapper/encryptedvdb1 isize=512    agcount=4, agsize=65344 blks
               =                       sectsz=512   attr=2, projid32bit=1
               =                       crc=1        finobt=0, sparse=0
      data     =                       bsize=4096   blocks=261376, imaxpct=25
               =                       sunit=0      swidth=0 blks
      naming   =version 2              bsize=4096   ascii-ci=0 ftype=1
      log      =internal log           bsize=4096   blocks=855, version=2
               =                       sectsz=512   sunit=0 blks, lazy-count=1
      realtime =none                   extsz=4096   blocks=0, rtextents=0
    2. Create the /encrypted directory.

      [root@serverb ~]# mkdir /encrypted
    3. Mount the /dev/mapper/encryptedvdb1 device mapping on the /encrypted directory.

      [root@serverb ~]# mount -t xfs /dev/mapper/encryptedvdb1 /encrypted
    4. Verify that the /dev/vdb1 partition is correctly mounted.

      [root@serverb ~]# mount | grep /encrypted
      /dev/mapper/encryptedvdb1 on /encrypted type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
    5. Create a file called testfile in the /encrypted directory by using the touch command.

      [root@serverb ~]# touch /encrypted/testfile
  6. Unmount the file system from the /encrypted mount point and lock the encrypted partition.

    1. Unmount the file system from the /encrypted mount point.

      [root@serverb ~]# umount /encrypted
    2. Lock the encrypted partition by using the cryptsetup luksClose command.

      [root@serverb ~]# cryptsetup luksClose encryptedvdb1
    3. Return to the workstation machine when done.

      [root@serverb ~]# logout
      [student@serverb ~]$ logout
      Connection to serverb closed.
      [student@workstation ~]$
  7. Edit and apply the /home/student/RH415/labs/luks-review/nbde_setup.yml Ansible Playbook to associate the LUKS-encrypted partition on the /dev/vdb1 device with Tang servers on the serverc and serverd machines. Use the /home/student/RH415/labs/luks-review/inventory inventory file. Configure SSS encryption so that at least two Tang servers must be available to decrypt the partition.

    1. Use a text editor to edit the /home/student/RH415/labs/luks-review/nbde_setup.yml Ansible Playbook. Add the following content:

      ---
      - hosts: servers
        become: yes
        become_method: sudo
      
        vars:
          nbde_server_rotate_keys: yes
          nbde_server_manage_firewall: true
          nbde_server_manage_selinux: true
      
        roles:
          - rhel-system-roles.nbde_server
      - hosts: clients
        become: yes
        become_method: sudo
      
        vars:
          nbde_client_bindings:
            - device: /dev/vdb1
              encryption_password: redhatRHT
              servers:
                - http://serverc.lab.example.com
                - http://serverd.lab.example.com
              threshold: 2
      
        roles:
          - rhel-system-roles.nbde_client
    2. Apply the /home/student/RH415/labs/luks-review/nbde_setup.yml Ansible Playbook.

      [student@workstation ~]$ ansible-playbook \
          -i ~/RH415/labs/luks-review/inventory \
          --ask-become-pass ~/RH415/labs/luks-review/nbde_setup.yml
      ...output omitted...
  8. On the serverb machine, configure the encrypted partition to automatically decrypt and mount on the /encrypted directory at boot time. Reboot the serverb machine.

    1. Log in to the serverb machine as the student user.

      [student@workstation ~]$ ssh student@serverb
      [student@serverb ~]$
    2. Change to the root user. Use the student sudo password.

      [student@serverb ~]$ sudo -i
      [sudo] password for student: student
      [root@serverb ~]#
    3. Edit the /etc/crypttab file to open the encrypted partition at boot time. Add the following content:

      encryptedvdb1       /dev/vdb1  none   _netdev
    4. Update the /etc/fstab file to mount the encrypted partition on the /encrypted directory.

      ...output omitted...
      /dev/mapper/encryptedvdb1   /encrypted       xfs    _netdev        1 2
    5. Reboot the serverb machine by using the reboot command.

      [root@serverb ~]# reboot
      Connection to serverb closed.
      [student@workstation ~]$
  9. After the serverb machine reboots, verify that the LUKS-encrypted partition on the /dev/vdb1 device is decrypted and is mounted automatically on the /encrypted directory.

    1. Log in to the serverb machine as the student user. You do not need to enter a password. The serverb machine might take a few minutes to boot. You can check the boot progress by clicking Open Console on the lab control page. If the serverb machine fails to boot, then you might need to rebuild your lab environment.

      [student@workstation ~]$ ssh student@serverb
      [student@serverb ~]$
    2. Change to the root user. Use the student sudo password.

      [student@serverb ~]$ sudo -i
      [sudo] password for student: student
      [root@serverb ~]#
    3. Verify that the encrypted partition is mounted on the /encrypted directory.

      [root@serverb ~]# mount | grep /encrypted
      /dev/mapper/encryptedvdb1 on /encrypted type xfs (rw,relatime,seclabel,attr2,inode64,noquota,_netdev)
    4. Verify that the previously created testfile file is still available in the /encrypted directory. When done, return to the workstation machine as the student user.

      [root@serverb ~]# ls /encrypted
      testfile
      [root@serverb ~]# logout
      [student@serverb ~]$ logout
      [student@workstation ~]$
  10. Rotate the keys for the Tang servers by running the /home/student/RH415/labs/luks-review/nbde_setup.yml Ansible Playbook again.

    1. Apply the /home/student/RH415/labs/luks-review/nbde_setup.yml Ansible Playbook.

      [student@workstation ~]$ ansible-playbook \
          -i ~/RH415/labs/luks-review/inventory \
          --ask-become-pass ~/RH415/labs/luks-review/nbde_setup.yml
      ...output omitted...
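As an added check that is not part of the lab or of the rhel-system-roles code, the following script builds the Clevis SSS pin policy that the playbook's servers/threshold binding corresponds to (the JSON layout is the one the clevis sss pin uses) and verifies that the /etc/crypttab and /etc/fstab entries added in step 8 both carry the _netdev option. The sample lines and the function names are constructed for this example.

```python
import json

# Constructed sample configuration mirroring the lab's playbook vars and the
# /etc/crypttab and /etc/fstab lines it has you add (not read from a live host).
SERVERS = ["http://serverc.lab.example.com", "http://serverd.lab.example.com"]
THRESHOLD = 2
CRYPTTAB = "encryptedvdb1       /dev/vdb1  none   _netdev\n"
FSTAB = "/dev/mapper/encryptedvdb1   /encrypted       xfs    _netdev        1 2\n"


def sss_policy(servers, threshold):
    """Build the Clevis SSS pin configuration equivalent to the playbook's
    servers/threshold binding: at least `threshold` of the listed Tang
    servers must be reachable at boot for the LUKS key to be recovered."""
    if not 1 <= threshold <= len(servers):
        raise ValueError("threshold must be between 1 and the number of Tang servers")
    return {"t": threshold, "pins": {"tang": [{"url": u} for u in servers]}}


def _options(fields, index):
    # Mount/crypt options are a comma-separated list in the given column.
    return set(fields[index].split(",")) if len(fields) > index else set()


def boot_unlock_problems(crypttab, fstab, name="encryptedvdb1", mountpoint="/encrypted"):
    """Return findings that would break automatic unlock at boot: a missing
    crypttab or fstab entry, or an entry without _netdev. Without _netdev,
    systemd tries to unlock and mount before the network is up, so the Tang
    servers cannot be reached and boot stalls at a passphrase prompt."""
    problems = []
    crypt = [l.split() for l in crypttab.splitlines() if l.strip() and not l.startswith("#")]
    entry = next((f for f in crypt if f[0] == name), None)
    if entry is None:
        problems.append(f"crypttab: no entry for {name}")
    elif "_netdev" not in _options(entry, 3):
        problems.append(f"crypttab: {name} lacks _netdev")
    mounts = [l.split() for l in fstab.splitlines() if l.strip() and not l.startswith("#")]
    mnt = next((f for f in mounts if len(f) > 1 and f[1] == mountpoint), None)
    if mnt is None:
        problems.append(f"fstab: no entry for {mountpoint}")
    else:
        if mnt[0] != f"/dev/mapper/{name}":
            problems.append(f"fstab: {mountpoint} is not backed by /dev/mapper/{name}")
        if "_netdev" not in _options(mnt, 3):
            problems.append(f"fstab: {mountpoint} lacks _netdev")
    return problems


if __name__ == "__main__":
    print(json.dumps(sss_policy(SERVERS, THRESHOLD)))
    print(boot_unlock_problems(CRYPTTAB, FSTAB) or "boot-time unlock config looks consistent")
```

On a real host the same policy can be compared against what `clevis luks list -d /dev/vdb1` reports for the bound slot.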

Evaluation

As the student user on the workstation machine, use the lab command to grade your work. Correct any reported failures and rerun the command until successful.

[student@workstation ~]$ lab grade luks-review

Finish

As the student user on the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish luks-review

Revision: rh415-9.2-a821299